USB devices Intercept using Filters

I am trying to intercept all USB devices (storage, mobile phone, camera, etc.) attached to the computer.

First I tried a lower filter driver on the USB hub controller and executed some sample code. It successfully detected all URBs of any USB device attached to the system during the internal ioctl (URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER), but the problem is that I couldn’t identify (differentiate) the user messages from the system messages. If I block write URBs then it couldn’t even mount the USB device.

Second I tried an upper filter attached to the USB class. It detects USB storage devices and HID devices, but the problem is that some devices, like a Samsung mobile, aren’t detected by the filter attached to the USB class until I attach the filter to the WPD (Windows Portable Devices) class.

I also tried a mini-filter, but they are very limited; I think they can only intercept volumes and file systems that are currently mounted, and I don’t know how different USB storage devices are mounted in Windows.

Can anyone give me an idea (best direction)?
What is the best method to intercept all USB based devices (user messages ‘read/write’)?

  1. An upper filter attached to different classes?
  2. A lower filter on USB hubs (all USB ports)?
  3. Any other idea?

Thank you very much!

xxxxx@gmail.com wrote:

> I am trying to intercept all USB devices (storage, mobile phone, camera, etc.) attached to the computer.

> First I tried a lower filter driver on the USB hub controller and executed some sample code. It successfully detected all URBs of any USB device attached to the system during the internal ioctl (URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER), but the problem is that I couldn’t identify (differentiate) the user messages from the system messages,

There is no difference between “user messages” and “system messages”.
The concept does not exist. What did you mean by that?

> If I block write URBs then it couldn’t even mount the USB device.

What are you actually trying to do here? Clearly, you have succeeded in
“intercepting” USB devices. That, apparently, was not really your
goal. What’s the larger goal you’re trying to achieve?

USB device classes do not have anything in common. There is no single
rule you can apply that will let you control access in any sane way.

> Can anyone give me an idea (best direction)?
> What is the best method to intercept all USB based devices (user messages ‘read/write’)?

You are already doing that. Clearly, “intercepting” is not what you
really want to do. Once you understand more about USB, I think you’ll
see that what you’re actually trying to do is silly.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thank you for your response.

> What are you actually trying to do here? Clearly, you have succeeded in
> “intercepting” USB devices. That, apparently, was not really your
> goal. What’s the larger goal you’re trying to achieve?

I am trying to implement policies on different USB based devices for read-only, read-write and completely blocked, using either

  1. an upper filter attached to different (USB based) device classes, or
  2. a lower filter on USB hub controllers,

in such a way as to deny IRP_MJ_WRITE or work with the other major functions.

> You are already doing that. Clearly, “intercepting” is not what you
> really want to do. Once you understand more about USB, I think you’ll
> see that what you’re actually trying to do is silly.

Actually I am at the start of creating this work; later on I will control these policies (for different USB devices) from user space. Once any USB based device is attached to the system, the filter driver should detect and differentiate it (using VID etc.) and start intercepting it.

So I want some suggestions: what would be an efficient method to achieve this?

Thank you!

Muhammad Hassan wrote:

> Once any USB based device is attached to the system, the filter driver should
> detect and differentiate it (using VID etc.) and start intercepting it.
> So I want some suggestions: what would be an efficient method to
> achieve this?

  1. Catalog all USB devices present in the world. Make plans to catalog all future USB devices that will ever be created.

  2. Reverse engineer all their wire protocols.

  3. Block said protocols.

xxxxx@gmail.com wrote:

> I am trying to implement policies on different USB based devices for read-only, read-write and completely blocked, using either
>
>   1. an upper filter attached to different (USB based) device classes, or
>   2. a lower filter on USB hub controllers,
>
> in such a way as to deny IRP_MJ_WRITE or work with the other major functions.

Before we begin, you should know that I have a history of going on
tirades against projects whose sole purpose is to INHIBIT the normal
functioning of my computer, rather than to ENHANCE it.

Your goal is hopeless. The very concept of IRP_MJ_WRITE has no meaning
in the USB world. USB requests are all handled as USB Request Blocks,
sent via an internal ioctl. The meaning and purpose of those URBs
varies wildly from device class to device class.

How can you possibly decide which requests to block? How can you
possibly know whether a given vendor request involves a “write”
operation? Many devices use vendor requests to read and write
registers. If those requests are blocked, the device does not operate
(or maybe does not stop operating – you can’t know that).

What does “read-only” mean for a set of speakers? For a video camera?
For a fake serial port? For a wireless network device?

There are already group policies in Windows to control access to USB
disk drives. That is approximately the best you can do.

> Actually I am at the start of creating this work; later on I will control these policies (for different USB devices) from user space. Once any USB based device is attached to the system, the filter driver should detect and differentiate it (using VID etc.) and start intercepting it.
>
> So I want some suggestions: what would be an efficient method to achieve this?

The most efficient method is to set down your pad and paper and walk
away. Go find a project that is achievable and beneficial.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
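The point Tim makes above (a URB's direction on the wire says nothing about whether the device's medium is being read or modified) can be shown concretely for the one class where "read-only" does have a meaning: USB mass storage. The following is an added example, not code from this thread or from any of the posters. It is a user-mode parser for the Bulk-Only Transport Command Block Wrapper (CBW) that a flash drive receives: every SCSI command, including the INQUIRY, TEST UNIT READY and READ CAPACITY commands Windows needs before it can mount the volume, travels host-to-device (an OUT bulk transfer) inside that 31-byte wrapper, which is exactly why dropping all "write" URBs keeps the device from mounting. The CBW layout and the SCSI opcode values are from the published specifications; the sample CBWs are constructed inline, and the policy function and enum names are this example's own.

```c
/* Added example, not from the thread: classify USB mass-storage commands by
 * the SCSI opcode inside the Bulk-Only Transport CBW rather than by URB
 * transfer direction. Layout per the BOT spec; opcodes per the SCSI specs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CBW_SIGNATURE    0x43425355u /* "USBC" read as a little-endian dword */
#define CBW_LENGTH       31
#define CBW_FLAG_DATA_IN 0x80        /* bmCBWFlags bit 7: data phase is device-to-host */

enum cbw_class {
    CBW_INVALID,     /* malformed wrapper */
    CBW_NON_MEDIA,   /* status/query command needed to enumerate and mount */
    CBW_MEDIA_READ,  /* transfers user data off the medium */
    CBW_MEDIA_WRITE  /* modifies the medium */
};

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build a CBW around a SCSI CDB. This is constructed sample data, not captured traffic. */
void build_cbw(uint8_t out[CBW_LENGTH], uint32_t tag, uint32_t data_len,
               int data_in, const uint8_t *cdb, uint8_t cdb_len) {
    memset(out, 0, CBW_LENGTH);
    put_le32(out, CBW_SIGNATURE);              /* dCBWSignature */
    put_le32(out + 4, tag);                    /* dCBWTag, echoed back in the CSW */
    put_le32(out + 8, data_len);               /* dCBWDataTransferLength */
    out[12] = data_in ? CBW_FLAG_DATA_IN : 0;  /* bmCBWFlags */
    out[13] = 0;                               /* bCBWLUN */
    out[14] = cdb_len;                         /* bCBWCBLength, 1..16 */
    memcpy(out + 15, cdb, cdb_len);            /* CBWCB */
}

/* Classify a CBW by the SCSI opcode it carries. Note that every CBW, whatever
 * the opcode, is itself an OUT transfer, so direction alone cannot do this. */
enum cbw_class classify_cbw(const uint8_t *cbw, size_t len) {
    if (len != CBW_LENGTH || get_le32(cbw) != CBW_SIGNATURE) return CBW_INVALID;
    uint8_t cdb_len = cbw[14] & 0x1F;
    if (cdb_len < 1 || cdb_len > 16) return CBW_INVALID;
    switch (cbw[15]) {                          /* first CDB byte is the opcode */
    case 0x08: case 0x28: case 0xA8: case 0x88: /* READ(6/10/12/16) */
        return CBW_MEDIA_READ;
    case 0x0A: case 0x2A: case 0xAA: case 0x8A: /* WRITE(6/10/12/16) */
    case 0x04:                                  /* FORMAT UNIT */
    case 0x35:                                  /* SYNCHRONIZE CACHE(10) */
    case 0x42:                                  /* UNMAP */
        return CBW_MEDIA_WRITE;
    default:
        /* TEST UNIT READY 0x00, REQUEST SENSE 0x03, INQUIRY 0x12,
         * MODE SENSE(6) 0x1A, READ CAPACITY(10) 0x25: all arrive in an OUT
         * CBW and all are needed before the volume can be mounted. */
        return CBW_NON_MEDIA;
    }
}

/* Convenience: wrap a single-opcode 10-byte CDB in a CBW and classify it. */
enum cbw_class classify_scsi(uint8_t opcode, uint32_t data_len, int data_in) {
    uint8_t cdb[10] = {0};
    uint8_t cbw[CBW_LENGTH];
    cdb[0] = opcode;
    build_cbw(cbw, 0x1234, data_len, data_in, cdb, sizeof cdb);
    return classify_cbw(cbw, CBW_LENGTH);
}

/* Read-only policy (this example's own): pass everything except commands that
 * modify the medium, so enumeration, mounting and reads keep working. */
int readonly_policy_allows_class(enum cbw_class c) {
    return c != CBW_INVALID && c != CBW_MEDIA_WRITE;
}

int readonly_policy_allows(const uint8_t *cbw, size_t len) {
    return readonly_policy_allows_class(classify_cbw(cbw, len));
}

int main(void) {
    static const char *names[] = {"INVALID", "NON_MEDIA", "MEDIA_READ", "MEDIA_WRITE"};
    uint8_t cbw[CBW_LENGTH];
    const uint8_t write10[10] = {0x2A, 0, 0, 0, 0, 0x10, 0, 0, 1, 0}; /* 1 block at LBA 16 */
    build_cbw(cbw, 1, 512, 0, write10, sizeof write10);
    printf("WRITE(10): %s, read-only policy allows=%d\n",
           names[classify_cbw(cbw, CBW_LENGTH)], readonly_policy_allows(cbw, CBW_LENGTH));
    printf("INQUIRY:   %s, read-only policy allows=%d\n",
           names[classify_scsi(0x12, 36, 1)],
           readonly_policy_allows_class(classify_scsi(0x12, 36, 1)));
    return 0;
}
```

A filter that wanted to enforce this would have to locate the CBW inside the OUT bulk URB on the mass-storage interface's bulk pipe and leave every other URB alone; it says nothing about a phone enumerated as an MTP device, a camera, or a vendor-specific device, which is Tim's broader point that no single rule covers all USB classes.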

> Before we begin, you should know that I have a history of going on tirades against projects
> whose sole purpose is to INHIBIT the normal functioning of my computer, rather than
> to ENHANCE it.

“Unkillable process” thread is already waiting for you then…

Anton Bassov

On Wed, May 20, 2015 at 1:26 AM, Tim Roberts wrote:
> Before we begin, you should know that I have a history of going on
> tirades against projects whose sole purpose is to INHIBIT the normal
> functioning of my computer, rather than to ENHANCE it.

Unfortunately this is the norm in the corporate world. IT department
wants to control the normal functioning of the computer, because
the computer is not YOUR computer.

>> So I want some suggestions, what would be efficient method to
>> achieve this ??
>
> The most efficient method is to set down your pad and paper and walk
> away. Go find a project that is achievable and beneficial.

The most efficient way is to have the company policies which clearly
stated what is allowed and what is not allowed. Then adjust the
policy based on the balance of IT security and the need to get
things done efficiently.

Technical means can be used to audit as well, for example,
monitoring the user system and report suspected behavior to
the IT and the user’s manager.

Pure technical means do not work. The policy is there to serve
as a deterrent and usually works, at least in a more mature economy.


Xiaofan

On Mon, May 18, 2015 at 11:26 PM, wrote:
> Second I try Upper filter attach to usb class, It is detecting the usb
> storage device and HID devices, But problem is, Some devices like
> samsung mobile isn’t detect by filter attached to usb class, until I attach
> filter to WPD (window portable devices) class.

Last time, the libusb-win32 filter (upper filter) tried to do that by default,
but then all kinds of BSODs happened once Windows Vista was
released.

So we disabled that feature, but those who want to try
can still do it. By default, the GUI filter wizard only attaches the
filter to a certain device, but the command line filter installer
can install it as a class upper filter.

Ref: http://sourceforge.net/p/libusb-win32/code/HEAD/tree/trunk/libusb/src/install-filter-help.txt

On the other hand, the filter does not work for many devices,
based on the reports (we actually disabled the hub class),
including many based on UMDF.


Xiaofan